Tiny Prints, Treat and Wedding Paper Divas, owned by Shutterfly Inc. notified customers of a data breach to their online system by hackers. The hacking may have exposed customer usernames and passwords. The company is urging customers to change all usernames and passwords to each site.

The Texas Health and Human Services department discovered a data breach it appears by "chance" after terminating their relationship with Xerox Corporation.

"In August, after the transition to a new Medicaid vendor, the Texas
commission filed a lawsuit against Xerox, alleging that the contractor
had failed to turn over computer equipment, as well as paper records,
containing Medicaid and health information for 2 million individuals,
"putting the state out of compliance with federal regulations and at
risk of massive federal fines," says a statement issued by Texas HHSC in August."

The Texas Health and Human Services department has notified individuals of the data breach communicating that their information may have been compromised. The information includes "Medicaid clients' names, birthdates, Medicaid numbers, and medical and
billing records related to care provided through Medicaid, such as
reports, diagnosis codes and photographs."

The State Compensation Insurance Fund, a state agency that provides workers compensation insurance to businesses informed customers of a data breach when one of their brokers suffered a data breach to their system.

Lucy Gomez Blankley Interpreting Inc., a provider of Stat Fund was the victim of a computer hack that resulted in theft of emails in which contained information regarding patient workers compensation claims.

Godiva notified employees of the company of a data breach when a Human Resources employee, who was traveling to retail sites, had a briefcase stolen from a car. The briefcase contained a lap top that had employee information on it. The lap top was not encrypted.

The information included names, addresses, Social Security numbers and drivers license numbers.

The company is providing Experian ProtectMyID Alert for 12 months for free. For questions call 1-866-328-1993 Monday through Friday 6:00 a.m to 6:00 p.m Pacific time.

Sony Pictures Entertainment has suffered a data breach when hackers posted threatening messages on company computers.

According to a report the threat "began with a skull appearing on screens, and then a strangely ominous
message telling users they’d been hacked by something called #GOP. It
gets more bizarre as the message claims this is just the beginning and
then threatens to release documents by 11 PM this evening."

The company has completely shut down all email communications and employees are not allowed to use company computers while the entertainment giant works through where and what the threat is and if it is real. The original threat did not give specifics or communicate any kind of "ransom" for the data that had supposedly been hacked.

UPDATE (12/5/2014): A data security analyst has discovered information leaked by the hacker (s) goes beyond what was originally reported.

According to the security company Identity Finder, showed that leaked files included vast amount of personal data on "more than 47,000 celebrities, freelancers, and current and former Sony employees".

"An analysis of 33,000 leaked Sony Pictures documents by data security
software firm Identity Finder showed that the leaked files included the
personal information, salaries and home addresses for employees and
freelancers who worked at the studio. Some of the celebrities include
Sylvester Stallone, director Judd Apatow and Australian actress Rebel
Wilson, according to the Wall Street Journal, which first reported on the analysis".

Additional information such as contracts, termination dates, termination reason and other data was also leaks. Unfortunately these files were in Excel format without any password protection.

UPDATE (12/16/2014): "Sony Pictures Entertainment has been sued
by two self-described former employees who accuse the movie
studio of failing to protect Social Security numbers, healthcare
records, salaries and other data from computer hackers who
attacked it last month.

The proposed class action lawsuit against Sony Corp's
studio was filed on Monday in federal court in
Los Angeles. It alleges that the company failed to secure its
computer network and protect confidential information."

The US State Department shut down one of its computer networks when it was believed to have been hacked. Experts believe this is related to the breach to the White House's unclassified computer network.

On Monday Jeff Rathke, a State Department spokesperson said "the department had recently detected "activity of concern" in portions of the system handling non-classified emails, and the weekend maintenance included security improvements responding to the breach."

on Monday, Rathke said
the department had recently detected "activity of concern" in portions
of the system handling non-classified emails, and the weekend
maintenance included security improvements responding to the breach.

on Monday, Rathke said
the department had recently detected "activity of concern" in portions
of the system handling non-classified emails, and the weekend
maintenance included security improvements responding to the breach.

The Seattle Public School District announced in a letter to parents Thursday about a data breach that involved their children's information.

"Late Tuesday night Seattle Public Schools learned that a law firm
retained by the district to handle a complaint against the district
inadvertently sent personally identifiable student information to an
individual involved in the case. The district promptly removed the law
firm from the case and is working to ensure that all improperly released
records are retrieved or destroyed."

Over 800 special education students were involved in a breach. The information involved in the breach included their names, addresses, student identification numbers, test scores and disabilities.

The Reeve-Wood Eye Center reported a data breach to the California Attorney General's office. No specific details were provided as to the scope of the breach, type of breach or individuals affected.

Information Source:
California Attorney General

records from this breach used in our total:
0

November 13, 2014

U.S. Weather SystemWashington, District Of Columbia

GOV

HACK

Satellite systems that forecast weather

Officials from the National Oceanic and Atmospheric Administration (NOAA), which includes the National Weather Service, have notified officials of a data breach to the National Weather Service's satellite network.

It appears the system was affected in September, but officials did not communicate that there was a problem until late October. an NOAA spokesman Scott Smullen did confirm that there were hacks and communicated that "incident response began immediately".

Dallas-based Onsite Health Diagnostics, a third party contractor with state of Tennessee, who completes medical testing and health screenings for various government insurance plans has suffered a data breach. The company discovered hackers had gained access to a computer system that houses personal information for members of the Tennessee's State Insurance Plan, Local Government Insurance Plan and Local Education Insurance plan.

The information affected in the breach included health benefit member names, dates of birth, addresses, emails, phone numbers and gender.

The US Postal Service is releasing information today that they have been the victim of a cyber attack with Chinese hackers being suspected of hacking into their computer networks compromising the information of over 800,000 employees.

Currently the FBI is investigating the breach and it appears that information obtained included names, dates of birth, Social Security
numbers, addresses, dates of employment. According to officials, all postal service employees were affected and they are not yet clear why their information was of interest to these hackers. They are not seeing any evidence of customer information being compromised. The investigators are calling the hackers "sophisticated actors". More information will be posted as additional information comes out with the investigation.

Anthem Blue Cross in California sent text emails with personal details about individuals health information and member specific demographic information such as age, language spoken, specific medical test received or not received as part of the text message.

The company is reviewing whether or not they have to report this information as part of the specific notification laws in California, which does include the breach of medical history, mental or physical condition, medical treatment or diagnosis by a health care professional.

A spokesperson for Blue Cross stated that they are investigating the incident.

Fidelity National Financial, Inc (FNF) informed customers of a breach to their system due to a targeted phishing attack to certain employees.

FNF is the parent company of Ticor Title Company of Oregon, Ticor Title of Nevada, Inc., Lawyers Title Company, and Lawyers Title of Oregon, LLC, which provides title insurance and real estate settlement services in Oregon, Nevada, and/or California.

From April 14, 2014 and April 16, 2014 a certain number of employees were targeted in a phishing attack that allowed the hackers to obtain username and password information for employees of the company. The company hosts their email with a third party vendor and after investigating did not find any evidence that the hackers were able to breach FNF's internal network or systems.

However, the investigation did reveal that personal information was obtained including Social Security numbers, bank account numbers, credit/debit card numbers and driver's license numbers.

The company is offering 12 months free of AllClear ID to those affected. Those affected can call 1-877-676-03741-877-676-0374 to reach an AllClear investigator.

The Palm Springs Federal Credit Union was conducting an audit of their systems and realized that one of their external hard drives that contained customer data was missing.

The information contained on the drive included customer names, addresses, Social Security Numbers and account numbers.

The credit union is offering AllClearID and AllClearID Pro for 12 months at no cost to those who were affected by this breach. For those with questions they can call 1-866-979-25951-866-979-2595 or the credit union at dpitigliano@palmspringsfcu.com.

UPDATE (1/16/2015): The National Credit Union Administration has announced that it will be paying Palm Springs Federal Credit Union $50,000 to help cover expenses incurred due to a data breach the credit union suffered. The regulatory agency is taking responsibility for the breach.

Reeves International Inc. is informing customers of a data breach of one of their online retail sites called Breyer Horses (www.breyerhorses.com). On September 9, 2014 the company discovered an unauthorized party installed malware on the server hosting the Breyer Horse website, the malware compromised customers' personal data. The dates of the attack were from March 31, 2013 through October 6, 2014.

On October 21, 2014 SCORE discovered an unauthorized access to their server that processes customer payment information.

According to the company on September 4, 2014 unauthorized access to their website compromised personal information of individuals who completed a transaction.

The information includes names, payment card account numbers, expiration dates of cards, SCORE account numbers. Those who were affected conducted a transaction between June 1, 2014 and September 4, 2014. There was no evidence that customer addresses or security codes being compromised after an investigation was conducted.

For those with questions or concerns call 1-800-626-77741-800-626-7774.

Several large banks notified Staples Inc. of unusual activity on credit and debit cards used at several locations in Northeastern United States.
According to Brian Krebs, Krebs on Security
"According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey".
Staples Inc. has more than 1800 stores nationwide and is currently investigating the potential breach.

UPDATE (11/17/2014): It appears that the breach that happened at Staples was conducted by the same cyber criminals that infiltrated Michaels stores. According to Krebs On Security "Multiple banks interviewed by this author say they’ve received alerts from Visa and MasterCard
about cards impacted in the breach at Staples, and that to date those
alerts suggest that a subset of Staples stores were compromised between
July and September 2014."

UPDATE (12/19/2014): After an investigation, Staples Inc. said that nearly 1.2 million customers payment cards. "Staples said Friday that the investigation revealed that the hackers used malware that provided access to information for transactions at 115 of its stores. The hackers stole cardholder names, payment card numbers, expiration dates and card verification codes. The company is offering free identity theft protection services.

Sourcebooks Inc. has informed customers of a breach of their shopping cart software that supports several of their websites. The breach dates were from April 16, 2014 and June 19, 2014. An unauthorized party gained access to specific customer purchase information.

Cyberswim.com notified customers of a data breach to their online ecommerce store and the discovery of customers' personal information being breached.

On September 24, 2014 the company confirmed that an unauthorized individual(s) or entities installed malware on the server hosting their website. This malware was able to access personal information entered by customers when completing a purchase on the site.

Snapsaved.com, a third party vendor to Snapchat, announced that their servers were hacked, which in turn caused thousands of photos and videos from the third party service to show up on the Internet.

"On Sunday, thousands of photos and videos from the Snapchat service were
put online, apparently taken from sites including Snapsaved.com, which
had allowed people to log in using their Snapchat username and password
to offer desktop-based rather than handset-based access to the site -
and also the chance to store photos, which are meant to be deleted
within seconds of being viewed."

Snapsaved posted on Facebook the following:

"I would like to inform the public that snapsaved.com was hacked” due to a
mistake in the setup of its web server. “As soon as we discovered the
breach in our systems, we immediately deleted the entire website and the
database associated with it,” the unsigned statement continues. “As far
as we can tell, the breach has effected [sic] 500MB of images, and 0
personal information from the database.”

The University California Davis Medical Center discovered abnormal activity in the email account of one of their providers. An investigation determined that the provider's email was compromised by an unknown source. As a result, an unauthorized use and access to their system giving them access to communication between the provider and the patients.

The office of Dr. Barry J. Snyder at Penn Highlands Brookville, a healthcare service provider for the Brookville area in Pennsylvania, notified patients of a data breach when a third party accessed the third party vendor's server who maintains records for Dr. Snyder.

The facility is offering free identity monitoring and identity protection services to affected individuals through Kroll Inc. Those affected can call 1-855-401-2640.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
0

October 13, 2014

Oak Park Medical CenterOak Partk, Michigan

MED

DISC

Unknown

Medical files were found by a former customer of a Dr. Pramod Raval, who was indicted in a Medicare home health care fraud scheme. Boxes of full files were dumped outside with massive amounts of patient data still intact.

The medical files included files that contained names, Social Security numbers, X-rays, blood types and addresses.

The local police were notified and the files were scheduled to be shredded.

Sears Holding Corp announced Friday that a data breach occurred at their K-Mart stores starting last month, with malicious software targeting their Point of Sale systems that compromised customers' credit card information.

Currently, Sears Holding Corp is not clear as to the number of affected customer cards and the breach is currently under investigation. K-Mart has said that they were able to remove the malware from their systems.

K-Mart is working currently working with federal investigators.

For those with questions, they are asked to call K-Mart's Customer Care Center at 1-888-488-5978.

The Sausalito Yacht Club notified its members of a data breach to their online member roster. The information on the roster included member names linked to private Sausalito Yacht Club member numbers. These two pieces of information together allows for the charging of beverages, goods, services and meals at the club. Additionally, members personal contact information, financial information, including accounts receivable information could have been obtained.

Currently, the breach is under investigation and depending upon what is found, the club may issue new cards and account numbers.

For those affected with questions they may call General Manager, Dave Martel at 1-415-332-7400 or by e-mail at gm@sausalitoyachtclub.org.

Information Source:
California Attorney General

records from this breach used in our total:
0

October 10, 2014

Oregon Employment Department/WorkSource OregonPortland, Oregon

GOV

HACK

850000

The Oregon Employment Department, specifically WorkSource Oregon, discovered a data breach of a data base that contained personal information of individuals searching for jobs when an anonymous tip came in alerting officials of the breach.

Social Security numbers of more than 850,000 individuals were compromised in the breach. Officials shut down the website and were investigating the breach.

The Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD) notified individuals of a data breach when one of their departments laptops was stolen out of a car of an employee who was attending a conference.

The Department of Human Services' Office of Behavioral Health in Denver Colorado notified individuals of a data breach when a postcard mailing went out to individuals as part of a survey. The cards were specifically addressed to individuals receiving behavioral health services through DHS office and mailed in post-card format.

This information is considered to be protected health information. According to the DHS no Social Security numbers or financial information was on the cards.

The company received a complaint of credit card fraud from a customer and launched an investigation by a data forensics expert. The investigation revealed that the administrative portion of the Evolution e-commerce site was accessed by an unauthorized third party that was using administrative credentials exposing customer order information.

The information exposed included names, email addresses, phone numbers, billing addresses, shipping addresses, order information, and credit/debit card information, including the CVV numbers on the backs of the cards.

For those affected, the company is offering AllClear Secure for 12 months at no cost. For those with questions, call 1-877-322-82281-877-322-8228.

The South Texas Veterans Health Care System informed 4,000 patients of a data breach to their personal information.

"South Texas Veterans Health Care tried to send veterans notices on
September 15 to explain a new federal rule of Hydrocodone combination
they need to be aware of. But in the process of printing the letters,
they mistakenly came out double-sided and had one unique veteran’s
information on one side and another veteran’s on the other."

The information breach included full names, addresses and the type of prescription drugs.

U.S Health Holdings, Ltd. on behalf of Macomb County Michigan has suffered a breach when an accidental disclosure of of personal informaton was posted on the Michigan Inter-Governmental Trade Network ("MITN") website.

The Albertina Kerr Centers have notified individuals of a breach when two of their laptop computers and a cell phone were stolen from the Albertina Kerr's campus.

The laptops contained medical information identifying individuals, the diagnoses they received and treatements applied. The theft took place in August of 2014 when an individual or individuals broke into one the facilities offices at the Kerr's crisis psychiatric care facility. According to the facility these laptops did not contain Social Security numbers or financial information.

The center is offering a year of free identity theft security monitoring. For those affected they can call 1-888-276-0529.

Brian Krebs of Krebs On Security notified MBIA of a breach that exposed numerous customer account numbers, balances and various other sensitive data due to a misconfiguration on a company Web server.

"Much of the information had been indexed by search engines, including a
page listing administrative credentials that attackers could use to
access data that wasn’t already accessible via a simple Web search."

MBIA is one of the largest bond insurers, that offers municipal bond insurance and investment management products and services companies such as Aetna and Fireman's Fund.

The company has since shut this website down and is currently investigating. No information is available to the number of individuals that may have been affected by the breach.

AT&T is at the center of another data breach to their system, this time, by an internal employee.

AT&T has announced that one of its staff members accessed account information of customers, which included Social Security Numbers, drivers license numbers, unique customer numbers, known as Customer Proprietary Network Information (CPNI), which includes information such as times, dates, durations and destination numbers of every call made. No specific numbers have yet been released.

UPDATE (10/7/2014): The Vermont Attorney General posted that 1,600 letters went out to customers regarding the recently announced data breach that happened in August of 2014 by an employee of AT&T. The employee has since been fired and the breach is still under investigation.

Mount Sinai Beth Israel announced a data breach when a laptop computer was stolen from a staff room. According to the facility the laptop was password-protected but not encrypted.

The patient information housed on the laptop included patient names, dates of birth, medical record numbers, dates of service, procedure codes and description of procedures along with clinical information about patient care received. The facility has stated that patient Social Security numbers, insurance information, addresses and phone numbers were not stored on this particular laptop.

Touchstone Medical Imaging notified patients of a data breach as a "result of an open share that was exposed to the Internet."

The information exposed included Social Security numbers, names, addresses, dates of birth, and phone numbers. The center stated that no medical information was stored in this exposed folder. They are not sure if any financial information was contained in this folder.

Community Technology Alliance (CTA) is notifying individuals of a potential compromise of their personal information, when an employee's laptop was stolen on July 28, 2014.

CTA is a non-profit organization that administers the Bay Area Homeless Management Information Systems (HMIS) and helps hundreds of partner agencies. The information in HMIS can include names and Social Security Numbers, and various other pieces of personal information.

If services were being received from an HMIS Partner Agency in Santa Cruz California, those individuals are the ones at risk. The partner agencies include the following:

Flinn Scientific, an ecommerce site focused on scientific materials for teachers and students, notified customers of a data breach to their online payment system when a cyber attacker inserted malware to gain access to the server that hosts payment information.

The Provo City School District notified employees of a "phishing" attack Monday September 29, 2014 which allowed access to employees email accounts. Some employee email accounts contained files that may have had personally identifiable information.

Currently the school district is investigating the breach and notifying those affected.

Fort Hays State University has notified 138 of it's graduates that their personal information may have been compromised when personal information was "accidentally" exposed on the Internet. The information exposed included Social Security Numbers and various other pieces of personal information.

The university stopped storing Social Security Numbers of students five years ago, however anyone who attended the university prior to 5 years ago, their SSN information is still part of the university database.

AB Acquisition LLC announced the discovery of a separate criminal investigation involving payment cards of customers who shopped at Albertsons stores, ACME Markets, Jewel-Osco, Shaw's and Star Markets. The company has discovered that a different malware was used in some of the stores than what was discovered in the recent data breach incident on August 2014. This breach is more recent than the August breach and appears to have happened at the end of August, beginning of September 2014.

The company has different point of sale systems at the different locations. Reportedly Albertson stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and their two Super Saver Food Stores in Northern Utah were not affected.

Those stores that were affected includes Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey were affected, along with Jewel-Osco stores in Iowa, Illinois and Indiana and Shaw's and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island.

The timeframes of the breach are August 27, 2014 through September 21, 2014. The company is offering free credit monitoring for one year with AllClearID at no cost to those who were affected. For questions, call 1-855-865-4449.

"American Family Care of Birmingham is alerting customers following the
theft of two laptops containing sensitive information from an employee’s
vehicle earlier this summer".

The information on the laptops contained personal information of patients specifically related to work injuries, physicals, immunizations and drug screens. The lap top also included the names, dates of birth, addresses, phone numbers, medical record numbers, Social Security Numbers, additional medical information, insurance information, driver's license numbers and dates of service.

The University of Florida and Texas Health and Human Services Commission (HHSC) a cooperative project called the Texas Wellness Incentives and Navigation (WIN) Project for Medicaid patients, notified patients of a data breach.

The University of Florida, acting as a partner of HHSC, sent letters to Houston area physicians requesting health records. Unfortunately, due to a database merging error, some of those health record requests were sent to the wrong physicians.

The information shared with the incorrect physician included names, Medicaid STAR+PLUS identification numbers, and dates of birth.

Those affected with questions can call 1-866-876-HIPA1-866-876-HIPA (4472).

BayBio.org has notified individuals of a data breach to their online payment system. The non-profit organization has notified that the hacking to their payment system compromised credit card numbers in process.

The hacker inserted files that captured keystrokes of visitors to their site which included credit card numbers when individuals were either paying for a membership or an event being held by the non-profit. Payments are being taken by phone until the breach has been repaired.

Viator Inc, was notified of a data breach by their credit card service provider when they had received numerous complaints of erroneous charges to accounts. Their investigation lead to seeing fraudulent charges to Viator customers via their online payment processing system.